Example 21 with RefreshableKeycloakSecurityContext

Use of org.keycloak.adapters.RefreshableKeycloakSecurityContext in project keycloak by keycloak.

Class OIDCFilterSessionStore, method isCached: restores a cached login from the servlet HttpSession and decides whether that cached login can still be trusted for this request.

@Override
public boolean isCached(RequestAuthenticator authenticator) {
    HttpSession httpSession = request.getSession(false);
    if (httpSession == null) {
        return false;
    }
    SerializableKeycloakAccount account = (SerializableKeycloakAccount) httpSession.getAttribute(KeycloakAccount.class.getName());
    if (account == null) {
        return false;
    }
    log.fine("remote logged in already. Establish state from session");
    RefreshableKeycloakSecurityContext securityContext = account.getKeycloakSecurityContext();
    // A session-cached account is only reused for the realm this deployment is configured for;
    // an account minted for a different realm is discarded, not re-mapped.
    if (!deployment.getRealm().equals(securityContext.getRealm())) {
        log.fine("Account from cookie is from a different realm than for the request.");
        cleanSession(httpSession);
        return false;
    }
    // The SessionIdMapper is the adapter's record of which HttpSessions still belong to a live
    // SSO session; back-channel (admin) logout removes entries from it. An HttpSession the mapper
    // no longer knows about is treated as logged out even though the container still holds it.
    if (idMapper != null && !idMapper.hasSession(httpSession.getId())) {
        log.fine("idMapper does not have session: " + httpSession.getId());
        cleanSession(httpSession);
        return false;
    }
    // Re-attach the per-request state (deployment, token store) that is not serialized with the
    // account, expose the context to the application, then restore any request saved before login.
    securityContext.setCurrentRequestInfo(deployment, this);
    request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext);
    needRequestRestore = restoreRequest();
    return true;
}
Also used : RefreshableKeycloakSecurityContext(org.keycloak.adapters.RefreshableKeycloakSecurityContext) KeycloakSecurityContext(org.keycloak.KeycloakSecurityContext) HttpSession(javax.servlet.http.HttpSession)

Example 22 with RefreshableKeycloakSecurityContext

Use of org.keycloak.adapters.RefreshableKeycloakSecurityContext in project keycloak by keycloak.

Class OIDCFilterSessionStore, method checkCurrentToken: called on each request to make sure the cached access token is still usable, refreshing it when needed and expiring the HttpSession when the refresh fails.

@Override
public void checkCurrentToken() {
    HttpSession httpSession = request.getSession(false);
    if (httpSession == null) {
        return;
    }
    SerializableKeycloakAccount account = (SerializableKeycloakAccount) httpSession.getAttribute(KeycloakAccount.class.getName());
    if (account == null) {
        return;
    }
    RefreshableKeycloakSecurityContext session = account.getKeycloakSecurityContext();
    if (session == null) {
        return;
    }
    // The deployment reference is transient: if the HttpSession was serialized and restored
    // (session replication, restart), re-attach it before touching the token.
    if (session.getDeployment() == null) {
        session.setCurrentRequestInfo(deployment, this);
    }
    // Fast path: token still valid and the deployment does not force a refresh on every request.
    if (session.isActive() && !session.getDeployment().isAlwaysRefreshToken()) {
        return;
    }
    // FYI: A refresh requires same scope, so same roles will be set.  Otherwise, refresh will fail and token will
    // not be updated
    // refreshExpiredToken(false) skips the internal isActive() re-check (done above) and calls the
    // token endpoint with the stored refresh token; with no refresh token held it returns false
    // without a network call.
    boolean success = session.refreshExpiredToken(false);
    if (success && session.isActive()) {
        return;
    }
    // Refresh failed, so user is already logged out from keycloak. Cleanup and expire our session
    // log.fine("Cleanup and expire session " + httpSession.getId() + " after failed refresh");
    cleanSession(httpSession);
    httpSession.invalidate();
}
Also used : RefreshableKeycloakSecurityContext(org.keycloak.adapters.RefreshableKeycloakSecurityContext) HttpSession(javax.servlet.http.HttpSession)
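The two methods above trust a cached login only while the realm matches and the adapter's SessionIdMapper still knows the HttpSession. The following is an added example, not Keycloak project code: it reproduces those two checks in a standalone method and drives them through a login, a realm mismatch and a back-channel logout using Keycloak's own InMemorySessionIdMapper (org.keycloak.adapters.spi). The realm name, principal and session ids are constructed values; the helper name cachedLoginStillTrusted is an assumption of this example.

```java
import java.util.Objects;
import org.keycloak.adapters.spi.InMemorySessionIdMapper;
import org.keycloak.adapters.spi.SessionIdMapper;

/**
 * Added example, not Keycloak project code. Reproduces the trust checks that
 * OIDCFilterSessionStore.isCached applies to a session-cached account (realm match and
 * SessionIdMapper membership) and shows how a back-channel logout invalidates a cached
 * login that the servlet container still holds. All identifiers are constructed.
 */
public class CachedLoginTrustDemo {

    /**
     * Mirrors the decision in isCached: a cached account is reused only if it was issued
     * for this deployment's realm and the id mapper still tracks the HTTP session.
     * A null mapper disables the second check, exactly as in the adapter.
     */
    static boolean cachedLoginStillTrusted(SessionIdMapper idMapper,
                                           String deploymentRealm,
                                           String accountRealm,
                                           String httpSessionId) {
        if (!Objects.equals(deploymentRealm, accountRealm)) {
            return false; // account from another realm is never reused
        }
        if (idMapper != null && !idMapper.hasSession(httpSessionId)) {
            return false; // adapter no longer tracks this session: treat as logged out
        }
        return true;
    }

    public static void main(String[] args) {
        SessionIdMapper idMapper = new InMemorySessionIdMapper();

        // 1. Login: the adapter records ssoSession -> principal -> HttpSession in the mapper.
        String ssoSessionId = "sso-session-0001";   // constructed
        String principal = "alice";                 // constructed
        String httpSessionId = "JSESSIONID-0001";   // constructed
        idMapper.map(ssoSessionId, principal, httpSessionId);
        System.out.println("after login, trusted = "
                + cachedLoginStillTrusted(idMapper, "demo", "demo", httpSessionId));

        // 2. Same HttpSession, but the cached account was minted for another realm.
        System.out.println("realm mismatch, trusted = "
                + cachedLoginStillTrusted(idMapper, "demo", "other-realm", httpSessionId));

        // 3. Back-channel logout (admin logout / k_logout): the adapter removes the mapping,
        //    so the still-existing HttpSession is no longer honoured.
        idMapper.removeSession(httpSessionId);
        System.out.println("after back-channel logout, trusted = "
                + cachedLoginStillTrusted(idMapper, "demo", "demo", httpSessionId));

        // 4. A deployment that wires no id mapper skips that check entirely; only the realm
        //    comparison remains, so the logout in step 3 would go unnoticed here.
        System.out.println("no id mapper, trusted = "
                + cachedLoginStillTrusted(null, "demo", "demo", httpSessionId));
    }
}
```

The four calls evaluate to true, false, false and true in that order. The last case is the one to watch in a deployment: without a SessionIdMapper (or with a mapper that is not shared across cluster nodes), a cached HttpSession outlives the Keycloak SSO session until checkCurrentToken next fails to refresh the token.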

Example 23 with RefreshableKeycloakSecurityContext

Use of org.keycloak.adapters.RefreshableKeycloakSecurityContext in project keycloak by keycloak.

Class SpringSecurityCookieTokenStore, method checkPrincipalFromCookie: the cookie-backed counterpart of checkCurrentToken, with the cookie removed instead of the HttpSession invalidated when the refresh fails.

/**
 * Verify if we already have authenticated and active principal in cookie. Perform refresh if
 * it's not active
 *
 * @return valid principal
 */
private KeycloakPrincipal<RefreshableKeycloakSecurityContext> checkPrincipalFromCookie() {
    // Parses and verifies the token cookie; returns null if it is absent or fails validation.
    KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal = CookieTokenStore.getPrincipalFromCookie(deployment, facade, this);
    if (principal == null) {
        logger.debug("Account was not in cookie or was invalid");
        return null;
    }
    RefreshableKeycloakSecurityContext session = principal.getKeycloakSecurityContext();
    if (session.isActive() && !session.getDeployment().isAlwaysRefreshToken()) {
        return principal;
    }
    boolean success = session.refreshExpiredToken(false);
    if (success && session.isActive()) {
        // The refreshed tokens must be written back to the cookie, otherwise the next
        // request would present the old, expired token again.
        refreshCallback(session);
        return principal;
    }
    logger.debug("Cleanup and expire cookie for user {} after failed refresh", principal.getName());
    CookieTokenStore.removeCookie(deployment, facade);
    return null;
}
Also used : RefreshableKeycloakSecurityContext(org.keycloak.adapters.RefreshableKeycloakSecurityContext)

Example 24 with RefreshableKeycloakSecurityContext

Use of org.keycloak.adapters.RefreshableKeycloakSecurityContext in project keycloak by keycloak.

Class SpringSecurityRequestAuthenticator, method completeBearerAuthentication: turns a verified bearer token into a Spring Security Authentication and publishes the Keycloak context on the request.

@Override
protected void completeBearerAuthentication(KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal, String method) {
    RefreshableKeycloakSecurityContext securityContext = principal.getKeycloakSecurityContext();
    // Roles come from the access token claims (realm and/or resource roles, per deployment config).
    Set<String> roles = AdapterUtils.getRolesFromSecurityContext(securityContext);
    final KeycloakAccount account = new SimpleKeycloakAccount(principal, roles, securityContext);
    logger.debug("Completing bearer authentication. Bearer roles: {} ", roles);
    // Start from an empty context so nothing from a previous authentication leaks into this one.
    SecurityContext context = SecurityContextHolder.createEmptyContext();
    // interactive = false: this is a bearer-token (API) login, not a browser login, so no
    // session or cookie state is expected and no refresh token is available.
    context.setAuthentication(new KeycloakAuthenticationToken(account, false));
    SecurityContextHolder.setContext(context);
    request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext);
}
Also used : KeycloakAuthenticationToken(org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken) RefreshableKeycloakSecurityContext(org.keycloak.adapters.RefreshableKeycloakSecurityContext) KeycloakSecurityContext(org.keycloak.KeycloakSecurityContext) SimpleKeycloakAccount(org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount) SecurityContext(org.springframework.security.core.context.SecurityContext) KeycloakAccount(org.keycloak.adapters.spi.KeycloakAccount) OidcKeycloakAccount(org.keycloak.adapters.OidcKeycloakAccount)

Example 25 with RefreshableKeycloakSecurityContext

Use of org.keycloak.adapters.RefreshableKeycloakSecurityContext in project keycloak by keycloak.

Class JaxrsBearerTokenFilterImpl, method propagateSecurityContext: wraps a verified bearer token in a RefreshableKeycloakSecurityContext and installs a JAX-RS SecurityContext for the request.

protected void propagateSecurityContext(JaxrsHttpFacade facade, ContainerRequestContext request, KeycloakDeployment resolvedDeployment, BearerTokenRequestAuthenticator bearer) {
    // Constructor arguments: deployment, tokenStore, tokenString, token, idTokenString, idToken, refreshToken.
    // For a bearer token there is no token store, no ID token and no refresh token, so this
    // context can never be refreshed: once the access token expires the caller must obtain a new one.
    RefreshableKeycloakSecurityContext skSession = new RefreshableKeycloakSecurityContext(resolvedDeployment, null, bearer.getTokenString(), bearer.getToken(), null, null, null);
    // Not needed to do resteasy specifics as KeycloakSecurityContext can be always retrieved from SecurityContext by typecast SecurityContext.getUserPrincipal to KeycloakPrincipal
    // ResteasyProviderFactory.pushContext(KeycloakSecurityContext.class, skSession);
    facade.setSecurityContext(skSession);
    String principalName = AdapterUtils.getPrincipalName(resolvedDeployment, bearer.getToken());
    final KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal = new KeycloakPrincipal<RefreshableKeycloakSecurityContext>(principalName, skSession);
    // Keep the transport-level isSecure() answer from the container's own SecurityContext.
    SecurityContext anonymousSecurityContext = getRequestSecurityContext(request);
    final boolean isSecure = anonymousSecurityContext.isSecure();
    // Roles are resolved once here; isUserInRole() below answers from this snapshot.
    final Set<String> roles = AdapterUtils.getRolesFromSecurityContext(skSession);
    SecurityContext ctx = new SecurityContext() {

        @Override
        public Principal getUserPrincipal() {
            return principal;
        }

        @Override
        public boolean isUserInRole(String role) {
            return roles.contains(role);
        }

        @Override
        public boolean isSecure() {
            return isSecure;
        }

        @Override
        public String getAuthenticationScheme() {
            return "OAUTH_BEARER";
        }
    };
    request.setSecurityContext(ctx);
}
Also used : RefreshableKeycloakSecurityContext(org.keycloak.adapters.RefreshableKeycloakSecurityContext) SecurityContext(javax.ws.rs.core.SecurityContext) KeycloakPrincipal(org.keycloak.KeycloakPrincipal)

Aggregations (class, package, number of usages)

RefreshableKeycloakSecurityContext (org.keycloak.adapters.RefreshableKeycloakSecurityContext) 52
KeycloakSecurityContext (org.keycloak.KeycloakSecurityContext) 30
KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment) 10
OidcKeycloakAccount (org.keycloak.adapters.OidcKeycloakAccount) 8
KeycloakAccount (org.keycloak.adapters.spi.KeycloakAccount) 5
SimpleKeycloakAccount (org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount) 5
KeycloakPrincipal (org.keycloak.KeycloakPrincipal) 4
AdapterTokenStore (org.keycloak.adapters.AdapterTokenStore) 4
HttpScope (org.wildfly.security.http.HttpScope) 4
IOException (java.io.IOException) 3
Principal (java.security.Principal) 3
HttpSession (javax.servlet.http.HttpSession) 3
Session (org.apache.catalina.Session) 3
GenericPrincipal (org.apache.catalina.realm.GenericPrincipal) 3
KeycloakAuthenticationToken (org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken) 3
Before (org.junit.Before) 2
OIDCHttpFacade (org.keycloak.adapters.OIDCHttpFacade) 2
HttpFacade (org.keycloak.adapters.spi.HttpFacade) 2
SimpleHttpFacade (org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade) 2
JWSInput (org.keycloak.jose.jws.JWSInput) 2